The malware may steal your information by recording your usernames and passwords. After removal of the threat you should change your passwords. Please refer to the following advisory for tips on how to create and use passwords:

The trojan creates a mutex named "Global\<Machine_GUID><hardcoded_value><current_process_id>" to make detection more difficult. These values uniquely identify your computer and will differ from computer to computer. An example could be Global\{25892e17-80f6-415f-9c65-7395632f0223}gfdgfdgdfg4a4.

It attempts to inject its payload into the following files:

Explorer.exe

Firefox.exe

Iexplore.exe

Mozilla.

Payload

Downloads files

The trojan contacts a remote host specified in its configuration file.

We have seen it contact the following servers:


The configuration file may include the following instructions:

Download and install files

Download and install modules

Update the trojan

Inject itself into processes using different methods

Send logs of its activity to a remote server

Write to a configuration file

The downloaded configuration file is stored in %ALLUSERSPROFILE%\<random_letters>.cfg. The file is encrypted using a version of the RC4 encryption algorithm, and the key is generated from your computer's GUID to make it difficult to decrypt.

Additional information

The trojan configuration file has the following format:

<marker>srvurls=<url that may retrieve another configuration file>srvdelay=<digits>srvretry=<digits>buildid=<identifier>fpicptr=<API>
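As an added illustration that is not part of the original advisory, the following Python parses a decrypted configuration string in the format described above (values run together, so each value ends where the next known key begins), checks the numeric fields, and flags mutex names that match the Global\{GUID}<suffix> pattern given earlier. The sample configuration string, its URL and the build identifier are constructed placeholders, not values from the advisory.

```python
import re
from typing import Dict, List

# Keys named in the advisory's description of the configuration format.
CONFIG_KEYS = ("srvurls", "srvdelay", "srvretry", "buildid", "fpicptr")
_KEY_RE = re.compile("|".join(re.escape(k) + "=" for k in CONFIG_KEYS))

# Mutex shape from the advisory: Global\{Machine_GUID}<hardcoded value><pid>
MUTEX_RE = re.compile(
    r"^Global\\\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}(\S+)$"
)


def parse_config(data: str) -> Dict[str, str]:
    """Split a decrypted configuration string into a key/value dict.

    Values carry no delimiter, so a value runs from the end of its key up to
    the start of the next known key (or end of string). Text before the
    first key is kept under 'marker'.
    """
    matches = list(_KEY_RE.finditer(data))
    if not matches:
        raise ValueError("no known configuration keys found")
    result = {"marker": data[: matches[0].start()]}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(data)
        key = m.group(0)[:-1]  # strip the trailing '='
        result[key] = data[m.end():end]
    return result


def check_config(cfg: Dict[str, str]) -> List[str]:
    """Return sanity problems: srvdelay and srvretry must be all digits."""
    problems = []
    for key in ("srvdelay", "srvretry"):
        if key in cfg and not cfg[key].isdigit():
            problems.append(f"{key} is not all digits: {cfg[key]!r}")
    return problems


def suspicious_mutexes(names: List[str]) -> List[str]:
    """Return mutex names matching the Global\\{GUID}<suffix> pattern."""
    return [n for n in names if MUTEX_RE.match(n)]


# Constructed sample input (placeholder values, not a real capture).
SAMPLE_CONFIG = (
    "CFG1srvurls=http://example.invalid/dropper/data.php"
    "srvdelay=600srvretry=5buildid=build-01fpicptr=GetProcAddress"
)
```

Running parse_config on a real decrypted file would also surface any additional keys the advisory does not list, since they would remain glued to the preceding value.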